CVE-2026-24043

EUVD-2026-5294

02.02.2026, 23:16

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0.

Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
parall	jspdf	𝑥 < 4.1.0

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff

https://github.com/parallax/jsPDF/releases/tag/v4.1.0

https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422